@invect/rbac 0.0.1 → 0.0.3

package/README.md

@@ -1,103 +1,65 @@
-# @invect/rbac
+<p align="center">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="../../../.github/assets/logo-light.svg">
+    <img alt="Invect" src="../../../.github/assets/logo-dark.svg" width="50">
+  </picture>
+</p>
 
-RBAC (Role-Based Access Control) plugin for Invect — adds flow sharing, permission management UI, and access control panels.
+<h1 align="center">@invect/rbac</h1>
 
-## Requirements
+<p align="center">
+  Role-based access control plugin for Invect.
+  <br />
+  <a href="https://invect.dev/docs/plugins"><strong>Docs</strong></a>
+</p>
 
-This plugin **requires** the `@invect/user-auth` plugin to be loaded for session resolution. RBAC handles *authorization* on top of the authentication layer that `@invect/user-auth` provides.
+---
 
-## Installation
+Adds flow-level permissions, sharing UI, and access control enforcement to Invect. Requires [`@invect/user-auth`](../auth) for session resolution.
+
+## Install
 
 ```bash
 pnpm add @invect/rbac
 ```
 
-## Usage
-
-### Backend
+## Backend
 
-```typescript
-import { betterAuthPlugin } from '@invect/user-auth';
+```ts
+import { authentication } from '@invect/user-auth';
 import { rbacPlugin } from '@invect/rbac';
 
-app.use('/invect', createInvectRouter({
-  databaseUrl: 'sqlite://...',
-  auth: {
-    enabled: true,
-    useFlowAccessTable: true,
-  },
+const invectRouter = await createInvectRouter({
+  database: { type: 'sqlite', connectionString: 'file:./dev.db' },
+  encryptionKey: process.env.INVECT_ENCRYPTION_KEY!,
   plugins: [
-    betterAuthPlugin({ auth }),  // Auth MUST be registered first
-    rbacPlugin({
-      useFlowAccessTable: true,
-    }),
+    authentication({ globalAdmins: [{ email: 'admin@example.com', pw: 'secret' }] }), // Must come first
+    rbacPlugin(),
   ],
-}));
+});
+
+app.use('/invect', invectRouter);
 ```
 
-### Frontend
+## Frontend
 
 ```tsx
-import { Invect } from '@invect/frontend';
+import { Invect } from '@invect/ui';
 import { rbacFrontendPlugin } from '@invect/rbac/ui';
 
-function App() {
-  return (
-    <Invect
-      apiBaseUrl="http://localhost:3000/invect"
-      plugins={[rbacFrontendPlugin]}  // When plugin system is wired
-    />
-  );
-}
-```
-
-### Using components directly (before plugin system is wired)
-
-```tsx
-import { RbacProvider, useRbac, ShareFlowModal, FlowAccessPanel } from '@invect/rbac/ui';
+<Invect apiBaseUrl="http://localhost:3000/invect" plugins={[rbacFrontendPlugin]} />;
 ```
 
-## What's Included
-
-### Backend Plugin (`@invect/rbac`)
-- Plugin endpoints for flow access management (namespaced under `/rbac/`)
-- UI manifest endpoint (`GET /rbac/ui-manifest`)
-- Authorization hooks for flow-level ACL enforcement
-- Auth dependency checking (warns if `@invect/user-auth` is missing)
-
-### Frontend Plugin (`@invect/rbac/ui`)
-- **RbacProvider** — Context provider that fetches and caches user identity/permissions
-- **useRbac()** — Hook for checking permissions in components
-- **ShareButton** — Flow header action that opens the share modal
-- **ShareFlowModal** — Modal for granting/revoking flow access
-- **FlowAccessPanel** — Flow editor panel tab showing access records
-- **AccessControlPage** — Admin page for viewing roles and permissions
-- **UserMenuSection** — Sidebar component showing current user info
+The plugin contributes sidebar items, an access management page, a flow-level access panel tab, and a share button in the flow editor header.
 
-### Shared Types (`@invect/rbac/types`)
-- `FlowAccessRecord`, `GrantFlowAccessRequest`, `FlowAccessPermission`
-- `AuthMeResponse`, `RolePermissionEntry`
-- Plugin UI manifest types
+## Exports
 
-## Package Exports
+| Entry Point          | Content                                                                                     |
+| -------------------- | ------------------------------------------------------------------------------------------- |
+| `@invect/rbac`       | Backend plugin (Node.js)                                                                    |
+| `@invect/rbac/ui`    | Frontend plugin — `rbacFrontendPlugin`, `RbacProvider`, `ShareFlowModal`, `FlowAccessPanel` |
+| `@invect/rbac/types` | Shared types — `FlowAccessRecord`, `FlowAccessPermission`, etc.                             |
 
-| Entry Point | Import | Content |
-|-------------|--------|---------|
-| `@invect/rbac` | `import { rbacPlugin } from '@invect/rbac'` | Backend plugin (Node.js) |
-| `@invect/rbac/ui` | `import { rbacFrontendPlugin } from '@invect/rbac/ui'` | Frontend plugin (Browser) |
-| `@invect/rbac/types` | `import type { FlowAccessRecord } from '@invect/rbac/types'` | Shared types |
+## License
 
-## Architecture
-
-```
-@invect/user-auth (authentication)
-        │
-        │ provides InvectIdentity via session resolution
-        │
-        ▼
-@invect/rbac (authorization)
-  ├── backend: hooks + endpoints
-  │   └── delegates to core's FlowAccessService + AuthorizationService
-  └── frontend: provider + components
-      └── fetches /auth/me, renders access management UI
-```
+[MIT](../../../LICENSE)

package/dist/backend/index.cjs

@@ -9,8 +9,8 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 * ```ts
 * import { resolveTeamIds } from '@invect/rbac/backend';
 *
-* betterAuthPlugin({
-*   auth,
+* auth({
+*   auth: betterAuthInstance,
 *   mapUser: async (user, session) => ({
 *     id: user.id,
 *     name: user.name ?? undefined,
@@ -198,6 +198,58 @@ async function listAllDirectFlowAccess(db, flowId) {
 	const now = Date.now();
 	return rows.map(normalizeFlowAccessRecord).filter((record) => !record.expiresAt || new Date(record.expiresAt).getTime() > now);
 }
+async function grantDirectFlowAccess(db, input) {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const existingRows = await db.query("SELECT id FROM flow_access WHERE flow_id = ? AND user_id IS ? AND team_id IS ?", [
+		input.flowId,
+		input.userId ?? null,
+		input.teamId ?? null
+	]);
+	if (existingRows.length > 0) {
+		const existingId = String(existingRows[0].id);
+		await db.execute("UPDATE flow_access SET permission = ?, granted_by = ?, granted_at = ?, expires_at = ? WHERE id = ?", [
+			input.permission,
+			input.grantedBy ?? null,
+			now,
+			input.expiresAt ?? null,
+			existingId
+		]);
+		return {
+			id: existingId,
+			flowId: input.flowId,
+			userId: input.userId ?? null,
+			teamId: input.teamId ?? null,
+			permission: input.permission,
+			grantedBy: input.grantedBy ?? null,
+			grantedAt: now,
+			expiresAt: input.expiresAt ?? null
+		};
+	}
+	const id = crypto.randomUUID();
+	await db.execute("INSERT INTO flow_access (id, flow_id, user_id, team_id, permission, granted_by, granted_at, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [
+		id,
+		input.flowId,
+		input.userId ?? null,
+		input.teamId ?? null,
+		input.permission,
+		input.grantedBy ?? null,
+		now,
+		input.expiresAt ?? null
+	]);
+	return {
+		id,
+		flowId: input.flowId,
+		userId: input.userId ?? null,
+		teamId: input.teamId ?? null,
+		permission: input.permission,
+		grantedBy: input.grantedBy ?? null,
+		grantedAt: now,
+		expiresAt: input.expiresAt ?? null
+	};
+}
+async function revokeDirectFlowAccess(db, accessId) {
+	await db.execute("DELETE FROM flow_access WHERE id = ?", [accessId]);
+}
 async function listAllEffectiveFlowAccessForPreview(db, flowId, overrideScopeId) {
 	const direct = await listAllDirectFlowAccess(db, flowId);
 	const scopeId = overrideScopeId === void 0 ? await getFlowScopeId(db, flowId) : overrideScopeId;
@@ -280,8 +332,17 @@ async function resolveAccessChangeNames(db, entries) {
 		source: entry.source
 	}));
 }
-function rbacPlugin(options = {}) {
-	const { useFlowAccessTable = true, adminPermission = "flow:read", enableTeams = true } = options;
+function rbac(options = {}) {
+	const { frontend, ...backendOptions } = options;
+	return {
+		id: "rbac",
+		name: "Role-Based Access Control",
+		backend: _rbacBackendPlugin(backendOptions),
+		frontend
+	};
+}
+function _rbacBackendPlugin(options = {}) {
+	const { adminPermission = "flow:read", enableTeams = true } = options;
 	const teamsSchema = enableTeams ? {
 		flows: { fields: { scope_id: {
 			type: "string",
@@ -445,10 +506,10 @@ function rbacPlugin(options = {}) {
 				"rbac_scope_access"
 			] : []
 		],
-		setupInstructions: "The RBAC plugin requires better-auth tables (user, session). Make sure @invect/user-auth is configured, then run `npx invect generate` followed by `npx drizzle-kit push`.",
+		setupInstructions: "The RBAC plugin requires user-auth tables (user, session). Make sure @invect/user-auth is configured, then run `npx invect-cli generate` followed by `npx drizzle-kit push`.",
 		init: async (ctx) => {
-			if (!ctx.hasPlugin("better-auth")) ctx.logger.warn("RBAC plugin requires the @invect/user-auth plugin. RBAC will work with reduced functionality (no session resolution). Make sure betterAuthPlugin() is registered before rbacPlugin().");
-			ctx.logger.info("RBAC plugin initialized", { useFlowAccessTable });
+			if (!ctx.hasPlugin("user-auth")) ctx.logger.warn("RBAC plugin requires the @invect/user-auth plugin. RBAC will work with reduced functionality (no session resolution). Make sure auth() is registered before rbac().");
+			ctx.logger.info("RBAC plugin initialized");
 		},
 		endpoints: [
 			{
@@ -511,13 +572,6 @@ function rbacPlugin(options = {}) {
 						status: 400,
 						body: { error: "Missing flowId parameter" }
 					};
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					if (!ctx.identity) return {
 						status: 401,
 						body: {
@@ -534,7 +588,7 @@ function rbacPlugin(options = {}) {
 					};
 					return {
 						status: 200,
-						body: { access: await ctx.core.listFlowAccess(flowId) }
+						body: { access: await listAllDirectFlowAccess(ctx.database, flowId) }
 					};
 				}
 			},
@@ -548,13 +602,6 @@ function rbacPlugin(options = {}) {
 						status: 400,
 						body: { error: "Missing flowId parameter" }
 					};
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					const { userId, teamId, permission, expiresAt } = ctx.body;
 					if (!userId && !teamId) return {
 						status: 400,
@@ -585,7 +632,7 @@ function rbacPlugin(options = {}) {
 					};
 					return {
 						status: 201,
-						body: await ctx.core.grantFlowAccess({
+						body: await grantDirectFlowAccess(ctx.database, {
 							flowId,
 							userId,
 							teamId,
@@ -606,13 +653,6 @@ function rbacPlugin(options = {}) {
 						status: 400,
 						body: { error: "Missing flowId or accessId parameter" }
 					};
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					if (!ctx.identity) return {
 						status: 401,
 						body: {
@@ -627,7 +667,7 @@ function rbacPlugin(options = {}) {
 							message: "Owner access is required to manage sharing"
 						}
 					};
-					await ctx.core.revokeFlowAccess(accessId);
+					await revokeDirectFlowAccess(ctx.database, accessId);
 					return {
 						status: 204,
 						body: null
@@ -639,13 +679,6 @@ function rbacPlugin(options = {}) {
 				path: "/rbac/flows/accessible",
 				isPublic: false,
 				handler: async (ctx) => {
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					const identity = ctx.identity;
 					if (!identity) return {
 						status: 401,
@@ -1324,7 +1357,6 @@ function rbacPlugin(options = {}) {
 				} catch {}
 			} : void 0,
 			onAuthorize: async (context) => {
-				if (!useFlowAccessTable) return;
 				const { identity, resource, action } = context;
 				if (!identity || !resource?.id) return;
 				if (!FLOW_RESOURCE_TYPES.has(resource.type)) return;
@@ -1359,7 +1391,7 @@ function rbacPlugin(options = {}) {
 	};
 }
 //#endregion
-exports.rbacPlugin = rbacPlugin;
+exports.rbac = rbac;
 exports.resolveTeamIds = resolveTeamIds;
 
 //# sourceMappingURL=index.cjs.map